[PATCH] test/cxl-mbox: Regression test for huge CXL_MEM_SEND_COMMAND out.size

[PATCH] test/cxl-mbox: Regression test for huge CXL_MEM_SEND_COMMAND out.size

[Richard Cheng]

Implement a regression test for unbounded kvzalloc() in the kernel's
cxl_mbox_cmd_ctor(), which a CXL_MEM_SEND_COMMAND with an out.size
greater than INT_MAX could drive into a size > INT_MAX kvmalloc() WARN.

libcxl's cxl_cmd_set_output_payload() rejects an out.size larger than
the mailbox payload_max, so the test crafts a raw struct
cxl_send_command and issues the CXL_MEM_SEND_COMMAND ioctl directly
against the cxl_test mock memdev.

The test is for a kernel bug fix [1].

[1]: https://lore.kernel.org/all/20260624144147.53997-1-icheng@nvidia.com/
Signed-off-by: Richard Cheng <icheng@nvidia.com>
---
 test/cxl-mbox.c  | 129 +++++++++++++++++++++++++++++++++++++++++++++++
 test/cxl-mbox.sh |  48 ++++++++++++++++++
 2 files changed, 177 insertions(+)
 create mode 100644 test/cxl-mbox.c
 create mode 100755 test/cxl-mbox.sh

diff --git a/test/cxl-mbox.c b/test/cxl-mbox.c
new file mode 100644
index 0000000..d81327b
--- /dev/null
+++ b/test/cxl-mbox.c
@@ -0,0 +1,129 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (C) 2026 Nvidia Corporation. All rights reserved.
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <cxl/libcxl.h>
+#include <cxl/cxl_mem.h>
+
+static const char provider[] = "cxl_test";
+
+/*
+ * The cxl_test mock advertises a 4 KiB (SZ_4K) mailbox payload_size and
+ * IDENTIFY returns a full struct cxl_mbox_identify. Post-fix the kernel
+ * clamps the output allocation to payload_size and copies that many bytes
+ * back into out.payload, so the buffer must be >= payload_size. 64 KiB is
+ * comfortably above the mock's 4 KiB payload.
+ */
+#define OUT_BUF_SIZE	(64 * 1024)
+
+/*
+ * Regression for the unbounded kvzalloc() in cxl_mbox_cmd_ctor() driven by a
+ * huge CXL_MEM_SEND_COMMAND out.size. The kernel fix CLAMPS the output
+ * allocation to the mailbox payload_size; it does not reject the request.
+ * Assert the ioctl SUCCEEDS (no -ENOMEM) -- do NOT assert -EINVAL.
+ */
+static int test_cxl_mbox_huge_out_size(struct cxl_memdev *memdev)
+{
+	struct cxl_send_command c = { 0 };
+	const char *devname;
+	char path[256];
+	void *buf;
+	int fd, rc;
+
+	devname = cxl_memdev_get_devname(memdev);
+	if (!devname)
+		return -ENODEV;
+
+	snprintf(path, sizeof(path), "/dev/cxl/%s", devname);
+
+	fd = open(path, O_RDWR);
+	if (fd < 0) {
+		if (errno == ENOENT || errno == ENODEV)
+			return -ENODEV;
+		fprintf(stderr, "failed to open %s: %s\n", path,
+			strerror(errno));
+		return -errno;
+	}
+
+	buf = calloc(1, OUT_BUF_SIZE);
+	if (!buf) {
+		rc = -ENOMEM;
+		goto out;
+	}
+
+	c.id = CXL_MEM_COMMAND_ID_IDENTIFY;
+	/*
+	 * 0x80000000 (2^31, > INT_MAX) is the proven reproducer that trips the
+	 * size > INT_MAX kvmalloc() WARN. out.size is __s32 in this vendored
+	 * UAPI; cast to avoid -Woverflow, the kernel reads the same 4 bytes
+	 * (kernel UAPI declares it __u32).
+	 */
+	c.out.size = (typeof(c.out.size))0x80000000U;
+	c.out.payload = (__u64)(uintptr_t)buf;
+
+	rc = ioctl(fd, CXL_MEM_SEND_COMMAND, &c);
+
+	/* Pass iff the kernel clamped (success), not rejected. */
+	if (rc == 0 && c.retval == 0) {
+		rc = 0;
+		goto out;
+	}
+
+	fprintf(stderr,
+		"CXL_MEM_SEND_COMMAND huge out.size mishandled: rc=%d errno=%d retval=%u\n",
+		rc, errno, c.retval);
+	rc = -ENXIO;
+
+out:
+	free(buf);
+	close(fd);
+	return rc;
+}
+
+static int test_cxl_mbox(struct cxl_ctx *ctx, struct cxl_bus *bus)
+{
+	struct cxl_memdev *memdev;
+
+	cxl_memdev_foreach(ctx, memdev) {
+		if (cxl_memdev_get_bus(memdev) != bus)
+			continue;
+		return test_cxl_mbox_huge_out_size(memdev);
+	}
+
+	return -ENODEV;
+}
+
+int main(int argc, char *argv[])
+{
+	struct cxl_ctx *ctx;
+	struct cxl_bus *bus;
+	int rc;
+
+	rc = cxl_new(&ctx);
+	if (rc < 0)
+		return rc;
+
+	cxl_set_log_priority(ctx, LOG_DEBUG);
+
+	bus = cxl_bus_get_by_provider(ctx, provider);
+	if (!bus) {
+		fprintf(stderr, "%s: unable to find bus (%s)\n",
+			argv[0], provider);
+		rc = -ENODEV;
+		goto out;
+	}
+
+	rc = test_cxl_mbox(ctx, bus);
+
+out:
+	cxl_unref(ctx);
+	return rc;
+}
diff --git a/test/cxl-mbox.sh b/test/cxl-mbox.sh
new file mode 100755
index 0000000..67fecf5
--- /dev/null
+++ b/test/cxl-mbox.sh
@@ -0,0 +1,48 @@
+#!/bin/bash -Ex
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (C) 2026 Nvidia Corporation. All rights reserved.
+
+. $(dirname "$0")/common
+
+BIN="$TEST_PATH"/cxl-mbox
+rc=77
+# 237 is -ENODEV
+ERR_NODEV=237
+# TAINT_WARN is bit 9
+TAINT_WARN=512
+
+trap 'err $LINENO' ERR
+
+modprobe -r cxl_test 2>/dev/null
+modprobe cxl_test
+# cxl_test alone does not autoload the mock memdev module on this box
+modprobe cxl_mock_mem
+
+main()
+{
+	test -x "$BIN" || do_skip "no CXL mailbox test"
+
+	t0=$(cat /proc/sys/kernel/tainted)
+
+	rc=0
+	"$BIN" || rc=$?
+
+	t1=$(cat /proc/sys/kernel/tainted)
+
+	echo "status: $rc"
+	if [ "$rc" -eq "$ERR_NODEV" ]; then
+		do_skip "no cxl_test memdev"
+	elif [ "$rc" -ne 0 ]; then
+		echo "fail: $LINENO" && exit 1
+	fi
+
+	if (( (t1 & TAINT_WARN) && !(t0 & TAINT_WARN) )); then
+		echo "fail: $LINENO kernel WARN taint (bit 9) set" && exit 1
+	fi
+
+	_cxl_cleanup
+}
+
+{
+	main "$@"; exit "$?"
+}

base-commit: 8ad90e54f0ff4f7291e7f21d44d769d10f24e2b6
-- 
2.43.0

Re: [PATCH] test/cxl-mbox: Regression test for huge CXL_MEM_SEND_COMMAND out.size

[Richard Cheng]

On Wed, Jun 24, 2026 at 10:58:43PM +0800, Richard Cheng wrote:
> Implement a regression test for unbounded kvzalloc() in the kernel's
> cxl_mbox_cmd_ctor(), which a CXL_MEM_SEND_COMMAND with an out.size
> greater than INT_MAX could drive into a size > INT_MAX kvmalloc() WARN.
> 
> libcxl's cxl_cmd_set_output_payload() rejects an out.size larger than
> the mailbox payload_max, so the test crafts a raw struct
> cxl_send_command and issues the CXL_MEM_SEND_COMMAND ioctl directly
> against the cxl_test mock memdev.
> 
> The test is for a kernel bug fix [1].
> 
> [1]: https://lore.kernel.org/all/20260624144147.53997-1-icheng@nvidia.com/
> Signed-off-by: Richard Cheng <icheng@nvidia.com>

Sorry, forgot to add the ndctl prefix, please ignore this one.
I'll resend it.

Best regards,
Richard Cheng.

> ---
>  test/cxl-mbox.c  | 129 +++++++++++++++++++++++++++++++++++++++++++++++
>  test/cxl-mbox.sh |  48 ++++++++++++++++++
>  2 files changed, 177 insertions(+)
>  create mode 100644 test/cxl-mbox.c
>  create mode 100755 test/cxl-mbox.sh
> 
> diff --git a/test/cxl-mbox.c b/test/cxl-mbox.c
> new file mode 100644
> index 0000000..d81327b
> --- /dev/null
> +++ b/test/cxl-mbox.c
> @@ -0,0 +1,129 @@
> +// SPDX-License-Identifier: GPL-2.0
> +// Copyright (C) 2026 Nvidia Corporation. All rights reserved.
> +#include <errno.h>
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <stdint.h>
> +#include <stddef.h>
> +#include <stdlib.h>
> +#include <syslog.h>
> +#include <string.h>
> +#include <unistd.h>
> +#include <sys/ioctl.h>
> +#include <cxl/libcxl.h>
> +#include <cxl/cxl_mem.h>
> +
> +static const char provider[] = "cxl_test";
> +
> +/*
> + * The cxl_test mock advertises a 4 KiB (SZ_4K) mailbox payload_size and
> + * IDENTIFY returns a full struct cxl_mbox_identify. Post-fix the kernel
> + * clamps the output allocation to payload_size and copies that many bytes
> + * back into out.payload, so the buffer must be >= payload_size. 64 KiB is
> + * comfortably above the mock's 4 KiB payload.
> + */
> +#define OUT_BUF_SIZE	(64 * 1024)
> +
> +/*
> + * Regression for the unbounded kvzalloc() in cxl_mbox_cmd_ctor() driven by a
> + * huge CXL_MEM_SEND_COMMAND out.size. The kernel fix CLAMPS the output
> + * allocation to the mailbox payload_size; it does not reject the request.
> + * Assert the ioctl SUCCEEDS (no -ENOMEM) -- do NOT assert -EINVAL.
> + */
> +static int test_cxl_mbox_huge_out_size(struct cxl_memdev *memdev)
> +{
> +	struct cxl_send_command c = { 0 };
> +	const char *devname;
> +	char path[256];
> +	void *buf;
> +	int fd, rc;
> +
> +	devname = cxl_memdev_get_devname(memdev);
> +	if (!devname)
> +		return -ENODEV;
> +
> +	snprintf(path, sizeof(path), "/dev/cxl/%s", devname);
> +
> +	fd = open(path, O_RDWR);
> +	if (fd < 0) {
> +		if (errno == ENOENT || errno == ENODEV)
> +			return -ENODEV;
> +		fprintf(stderr, "failed to open %s: %s\n", path,
> +			strerror(errno));
> +		return -errno;
> +	}
> +
> +	buf = calloc(1, OUT_BUF_SIZE);
> +	if (!buf) {
> +		rc = -ENOMEM;
> +		goto out;
> +	}
> +
> +	c.id = CXL_MEM_COMMAND_ID_IDENTIFY;
> +	/*
> +	 * 0x80000000 (2^31, > INT_MAX) is the proven reproducer that trips the
> +	 * size > INT_MAX kvmalloc() WARN. out.size is __s32 in this vendored
> +	 * UAPI; cast to avoid -Woverflow, the kernel reads the same 4 bytes
> +	 * (kernel UAPI declares it __u32).
> +	 */
> +	c.out.size = (typeof(c.out.size))0x80000000U;
> +	c.out.payload = (__u64)(uintptr_t)buf;
> +
> +	rc = ioctl(fd, CXL_MEM_SEND_COMMAND, &c);
> +
> +	/* Pass iff the kernel clamped (success), not rejected. */
> +	if (rc == 0 && c.retval == 0) {
> +		rc = 0;
> +		goto out;
> +	}
> +
> +	fprintf(stderr,
> +		"CXL_MEM_SEND_COMMAND huge out.size mishandled: rc=%d errno=%d retval=%u\n",
> +		rc, errno, c.retval);
> +	rc = -ENXIO;
> +
> +out:
> +	free(buf);
> +	close(fd);
> +	return rc;
> +}
> +
> +static int test_cxl_mbox(struct cxl_ctx *ctx, struct cxl_bus *bus)
> +{
> +	struct cxl_memdev *memdev;
> +
> +	cxl_memdev_foreach(ctx, memdev) {
> +		if (cxl_memdev_get_bus(memdev) != bus)
> +			continue;
> +		return test_cxl_mbox_huge_out_size(memdev);
> +	}
> +
> +	return -ENODEV;
> +}
> +
> +int main(int argc, char *argv[])
> +{
> +	struct cxl_ctx *ctx;
> +	struct cxl_bus *bus;
> +	int rc;
> +
> +	rc = cxl_new(&ctx);
> +	if (rc < 0)
> +		return rc;
> +
> +	cxl_set_log_priority(ctx, LOG_DEBUG);
> +
> +	bus = cxl_bus_get_by_provider(ctx, provider);
> +	if (!bus) {
> +		fprintf(stderr, "%s: unable to find bus (%s)\n",
> +			argv[0], provider);
> +		rc = -ENODEV;
> +		goto out;
> +	}
> +
> +	rc = test_cxl_mbox(ctx, bus);
> +
> +out:
> +	cxl_unref(ctx);
> +	return rc;
> +}
> diff --git a/test/cxl-mbox.sh b/test/cxl-mbox.sh
> new file mode 100755
> index 0000000..67fecf5
> --- /dev/null
> +++ b/test/cxl-mbox.sh
> @@ -0,0 +1,48 @@
> +#!/bin/bash -Ex
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (C) 2026 Nvidia Corporation. All rights reserved.
> +
> +. $(dirname "$0")/common
> +
> +BIN="$TEST_PATH"/cxl-mbox
> +rc=77
> +# 237 is -ENODEV
> +ERR_NODEV=237
> +# TAINT_WARN is bit 9
> +TAINT_WARN=512
> +
> +trap 'err $LINENO' ERR
> +
> +modprobe -r cxl_test 2>/dev/null
> +modprobe cxl_test
> +# cxl_test alone does not autoload the mock memdev module on this box
> +modprobe cxl_mock_mem
> +
> +main()
> +{
> +	test -x "$BIN" || do_skip "no CXL mailbox test"
> +
> +	t0=$(cat /proc/sys/kernel/tainted)
> +
> +	rc=0
> +	"$BIN" || rc=$?
> +
> +	t1=$(cat /proc/sys/kernel/tainted)
> +
> +	echo "status: $rc"
> +	if [ "$rc" -eq "$ERR_NODEV" ]; then
> +		do_skip "no cxl_test memdev"
> +	elif [ "$rc" -ne 0 ]; then
> +		echo "fail: $LINENO" && exit 1
> +	fi
> +
> +	if (( (t1 & TAINT_WARN) && !(t0 & TAINT_WARN) )); then
> +		echo "fail: $LINENO kernel WARN taint (bit 9) set" && exit 1
> +	fi
> +
> +	_cxl_cleanup
> +}
> +
> +{
> +	main "$@"; exit "$?"
> +}
> 
> base-commit: 8ad90e54f0ff4f7291e7f21d44d769d10f24e2b6
> -- 
> 2.43.0
> 

Re: [PATCH] test/cxl-mbox: Regression test for huge CXL_MEM_SEND_COMMAND out.size

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Medium] User-space ndctl test patch mistakenly submitted to the Linux kernel tree.
- [Medium] Brittle error handling in test script module loading.
--

commit d71b88195f1dc438adbcafc668b1cd91cd8a75fe
Author: Richard Cheng <icheng@nvidia.com>

test/cxl-mbox: Regression test for huge CXL_MEM_SEND_COMMAND out.size

This commit introduces a regression test for a CXL mailbox issue where a huge
out.size parameter could trigger a size > INT_MAX kvmalloc() WARN. The test
uses the cxl_test mock memdev and directly issues the CXL_MEM_SEND_COMMAND
ioctl.

Link: https://lore.kernel.org/all/20260624144147.53997-1-icheng@nvidia.com/

> diff --git a/test/cxl-mbox.c b/test/cxl-mbox.c
> new file mode 100644
> index 0000000000000..d81327ba17df4
> --- /dev/null
> +++ b/test/cxl-mbox.c
> @@ -0,0 +1,129 @@
> +// SPDX-License-Identifier: GPL-2.0
> +// Copyright (C) 2026 Nvidia Corporation. All rights reserved.
> +#include <errno.h>
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <stdint.h>
> +#include <stddef.h>
> +#include <stdlib.h>
> +#include <syslog.h>
> +#include <string.h>
> +#include <unistd.h>
> +#include <sys/ioctl.h>
> +#include <cxl/libcxl.h>

[Severity: Medium]
Is this test actually intended for the ndctl repository rather than the Linux
kernel tree? It looks like it includes <cxl/libcxl.h>, which is an ndctl
user-space library header not present in the Linux kernel tree.

[ ... ]

> diff --git a/test/cxl-mbox.sh b/test/cxl-mbox.sh
> new file mode 100755
> index 0000000000000..67fecf5a3f46f
> --- /dev/null
> +++ b/test/cxl-mbox.sh
> @@ -0,0 +1,48 @@
> +#!/bin/bash -Ex
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (C) 2026 Nvidia Corporation. All rights reserved.
> +
> +. $(dirname "$0")/common

[Severity: Medium]
Does this source a 'common' test framework script from ndctl that does not
exist in the kernel tree?

> +
> +BIN="$TEST_PATH"/cxl-mbox
> +rc=77
> +# 237 is -ENODEV
> +ERR_NODEV=237
> +# TAINT_WARN is bit 9
> +TAINT_WARN=512
> +
> +trap 'err $LINENO' ERR
> +
> +modprobe -r cxl_test 2>/dev/null
> +modprobe cxl_test
> +# cxl_test alone does not autoload the mock memdev module on this box
> +modprobe cxl_mock_mem

[Severity: Medium]
Because this script runs with set -e (from the #!/bin/bash -Ex line), will
these unprotected modprobe commands immediately trigger the ERR trap and
abort the script if the modules are missing, instead of gracefully skipping
the test?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260624145843.55116-1-icheng@nvidia.com?part=1